HADOOP-14029. Fix KMSClientProvider for non-secure proxyuser use case. Contributed by Xiaoyu Yao.

(cherry picked from commit 2034315763cd7b1eb77e96c719918fc14e2dabf6)
(cherry picked from commit 6b602c6e3496d36a15a1f633c67f1a0e76e38b7d)

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/crypto/key/kms/KMSClientProvider.java

@@ -1059,13 +1059,14 @@ public class KMSClientProvider extends KeyProvider implements CryptoExtension,
       // Use real user for proxy user
       actualUgi = currentUgi.getRealUser();
     }
-
-    if (!containsKmsDt(actualUgi) &&
+    if (UserGroupInformation.isSecurityEnabled() &&
+        !containsKmsDt(actualUgi) &&
         !actualUgi.hasKerberosCredentials()) {
-      // Use login user for user that does not have either
+      // Use login user is only necessary when Kerberos is enabled
+      // but the actual user does not have either
       // Kerberos credential or KMS delegation token for KMS operations
-      LOG.debug("using loginUser no KMS Delegation Token "
-          + "no Kerberos Credentials");
+      LOG.debug("Using loginUser when Kerberos is enabled but the actual user" +
+          " does not have either KMS Delegation Token or Kerberos Credentials");
       actualUgi = UserGroupInformation.getLoginUser();
     }
     return actualUgi;

hadoop-common-project/hadoop-kms/src/test/java/org/apache/hadoop/crypto/key/kms/server/TestKMS.java

@@ -2285,7 +2285,11 @@ public class TestKMS {
 
   public void doWebHDFSProxyUserTest(final boolean kerberos) throws Exception {
     Configuration conf = new Configuration();
-    conf.set("hadoop.security.authentication", "kerberos");
+    if (kerberos) {
+      conf.set("hadoop.security.authentication", "kerberos");
+    }
+    UserGroupInformation.setConfiguration(conf);
+
     final File testDir = getTestDir();
     conf = createBaseKMSConf(testDir, conf);
     if (kerberos) {